Superstorm Sandy. The Joplin tornado. The Japanese earthquake and tsunami. California wildfires. 9/11. Catastrophes come in many forms. It is universally understood that despite our best efforts, disaster can strike due to forces beyond our control. Cyber threats are equally dangerous and diverse — and just as unstoppable.

Yet even as catastrophe risk management matures and scores of executives join the catastrophe conversation, the dragon known as cyber risk still sits in the middle of the board room, quietly smoldering.

Advertisement

In every industry and at every company size, cyber risk is a foundation-level exposure that every business must confront — one that must be viewed with the same gravity as a company’s property, liability or workers’ comp risks.

As recent as a decade ago, that might have been an overstatement. But not now. Technology and business are fundamentally linked. Computers and the Internet are the primary platform for communicating with customers and vendors, managing profits and expenses, paying employees, operating the machines that produce goods and provide services, and making sure that the end product gets into customers’ hands on schedule. Mobile technology and the Internet of Things are opening new channels, making technology a physical extension of ourselves, both personally and commercially.

“The entire economy is so reliant, in ways that we don’t even see, on technology and the storage, transmission and usage of data, both personal and for analytical purposes, that it’s fundamental to almost every sector,” said Oliver Brew, vice president for professional, privacy, and technology liability at LIU Liberty International Underwriters, the specialty line division of Liberty Mutual in New York.

Video: Computer security expert Mikko Hyppönen explains how he tracked down the creators of the first PC virus, which hit the net 25 years ago, and how to stop the new viruses of today.

That reliance is only going to grow. A January report by Forrester Research described software assets as more critical to business success than financial assets over the next 20 years.

“If you take a look at the public companies’ 10-Ks and publicly disclosed statements, what are they emphasizing that’s going to differentiate them from their competitors, increase sales, decrease costs and maximize efficiency? They focus on the use of technology and the use of information assets,” said Kevin Kalinich, global practice leader for cyber and network risk at Aon Risk Solutions.

With increased technology comes increased opportunity for attack. However, that reality didn’t get a lot of traction in the C-suite until the recent Target breach splashed it across world headlines. Even now, there are still some resting easy, confident that their IT teams have everything under control. Others assume cyber attacks are a threat largely confined to industries such as retail, health care and financial services — sectors with the most data to lose.

Advertisement

Small businesses, in particular, downplay the risk, said Jesse Bessler, an account executive at Lacher & Associates, of Souderton, Pa. “I think it’s that they just don’t understand the risk, and they think that [a cyber policy] is an add-on item they don’t need.”

Increased Sophistication

Security experts, however, are trying to break through the wall of denial. Cyber attacks, they argue, are akin to massive storms or similar to the focused destruction of a tornado — something you can prepare for, but not something you can prevent. Despite firewalls and antivirus programs, experts say, cyber punches will eventually land inside every company.

To grasp the magnitude of the threat, it’s important to recognize that the driving forces behind cyber crime are vast, varied and as uncontrollable as any atmospheric or geologic force. The threat is now ubiquitous, and experts agree that while making an effort to reduce the risk of a breach is important, it is no longer possible to completely prevent cyber attacks.

Kurtis SuhsVice PresidentIronshore

“It’s like two identical cars in a mall parking lot,” explained Kurtis Suhs, vice president and national technology and privacy product manager for Ironshore. “If one’s locked and one’s unlocked, the bad guy’s going to go to the unlocked car. But if the bad guy really wants to get into the locked car, he will — it’ll just take longer.”

And yet, organizations keep brushing off the threat. That may be because “cyber risk” has become synonymous with data theft. If an entity does not have a significant aggregation of customer financial data, executives assume they won’t be targeted. The reality is that the true exposure is no longer just about credit card or Social Security data. Hackers have expanded their target list, adopted a more patient approach and found deep-pocketed sponsors, whether private-sector or state-sponsored, security experts said.

Sophisticated hackers are conducting long-term surveillance and probing for weaknesses they can exploit for financial gain, said David Remnitz, global and Americas leader of Ernst & Young’s forensic technology and discovery services business. “The end result here is the theft of highly valuable, internal information for significant financial gain,” he said.

While that could mean outright theft of trade secrets or confidential M&A data, it could also mean corporate sabotage, as in corrupting a decade of research and development results or putting competitors out of business. Imagine a market where most of the players used one primary vendor as a source for a key ingredient. An organization could contract with a lesser-used source for that ingredient, then disrupt the operations of the primary vendor via a denial-of-service attack or other type of malware, leaving the rest of the market scrambling for suppliers.

The potential for lost business and liability claims could be devastating for the affected companies. Even those with solid business continuity plans in place could still take heavy hits from the reputational fallout.

Advertisement

“A large company might be able to absorb that risk. A small company can’t,” said Elissa Doroff, a vice president and senior advisory specialist in Marsh’s network security and privacy practice in New York.

To date, breaches have largely been limited to individual companies, but the potential for larger events looms. One concern centers on cloud companies, which could host data for hundreds of businesses. A data breach or network interruption, or the physical destruction of a cloud-service data center could wreak larger havoc on the economy.

“That’s a potentially catastrophic loss,” said Doroff.

The sky’s the limit at this point. Criminals are capable of disrupting a multinational corporation, a transportation or logistics network, a health care system, an entire industry or even an entire region, creating havoc and leading to economic losses in the millions or billions — in many situations even putting lives at risk.

Keep in mind that those with ill intent don’t even need to have an IT background — the proliferation of hackers-for-hire means that anyone intent on doing damage can do so if their pockets are deep enough.

That said, it probably wouldn’t take a well-funded ring of genius-level hackers and a sophisticated attack plan to paralyze the average organization. Three years ago, the U.S. subsidiary of Shionogi, a Japanese pharmaceutical firm, suffered a devastating cyber attack that deleted the contents of 88 computer servers, crippling the company’s operations for several days, disabling its email, BlackBerry servers, order-tracking system, and financial management software. The attacker? A former mid-level employee, working from a public
Wi-Fi network at a nearby McDonalds, calmly sipping coffee while bringing Shionogi to its knees.

An Enterprise Approach

Even organizations that have never been affected by a catastrophe generally do not question the need for CAT planning. At the very least, most probably have a written evacuation plan in place and enough insurance to cover the potential physical damage of a storm. The smartest also address the whole picture from a supply chain and business continuity standpoint, and may have even considered questions about how to manage any reputational damage related to interruption of service to customers.

PwC’s report, Cyber Crisis Management: A Bold Approach to a Bold and Shadowy Nemesis, offers a new philosophy and approach to incidence response. This graphic shows the key elements of a structured cyber crisis response.

Cyber exposure should be approached in much the same way. It starts with engineering out the risk to whatever extent possible. If your roof is old, for instance, replacing it may be a way to ensure the building is more likely to stay intact if it’s battered by a storm. The cyber equivalent might be replacing old servers or upgrading any existing automated intrusion detection system. Security experts stress, however, that cyber risk is not an IT exposure, it’s an enterprisewide exposure. Therefore vulnerabilities need to be identified across an entire organization, with policies and procedures modified accordingly.

A comprehensive, enterprisewide disaster plan can also go a long way toward helping companies minimize the damage sustained in the event of a cyber attack. For every function of an organization, management needs to ask hard questions about how a cyber attack could disrupt that function, and what kind of back-up plan each department would need. Do you have a way to contact customers and suppliers if your email goes down? Do you have a crisis communication plan for alerting the public about how you’re handling the situation? Are your records backed up and accessible through a secure third-party?

Advertisement

Increasingly, organizations will rely on insurance to ensure their survival after a cyber event. In a February survey by BAE Systems, nearly 30 percent of companies said they expected the cost of a cyber attack to exceed $75 million. Another 20 percent expected the cost to fall between $15 million and $75 million.

“There’s an expectation that this could have an extremely material effect on business performance, and that’s a risk they look to hedge,” said Paul Henninger, global product director for BAE Systems Applied Intelligence, a business unit of BAE Systems.

Taking a realistic approach to cyber attacks could improve underwriting of the risk, he said. Just as carriers evaluate whether clients are prepared for a CAT-5 hurricane, knowing some damage is likely, they could determine whether clients are ready for a cyber storm.

“You can’t make it go away, but you can minimize the impact on the bottom line and customers and reputation,” he said.

Complete coverage on the inevitable cyber threat:

Risk managers are waking up to the reality that the cyber risk landscape has changed. Every sector must prepare to withstand the storm.

Critical Condition. The proliferation of medical devices creates a host of scary risks for the beleaguered health care industry.

Disabled Autos. It’s alarmingly easy for a hacker to take control of a driverless vehicle, tampering with braking systems or scrambling the GPS.

Unmanned Risk. The dark side of remote-controlled drones, which have already been hacked — by students.

An Electrifying Threat. There is a very real possibility hackers could devastate the nation’s power grids — for a potentially extended period of time.

Cyber risk continues to be the amorphous and seemingly indefensible threat facing businesses of all types and sizes, and insurers are continually tailoring their policies to respond to the changing environment. Making the challenge more difficult is the fact that cyber no longer is constrained to breaches of network security that imperil private information.

Cyber threats now intermingle with other types of exposure, like employee theft and professional liability, and can cause a broader spectrum of loss including property and reputation damage.

“We’re seeing a change now where the malicious actors aren’t just hacking networks to steal information; they’re reaching out from the digital world to cause different types of damage,” said Elissa Doroff, vice president, underwriting and product manager, XL Catlin.

As cyber becomes the root case of various types of tangible damage, it raises questions around what policies will be triggered by an event involving both digital and physical damage, and raises the potential for both gaps and overlaps in coverage.

Here are the top five ways cyber risk is evolving to create gray areas in existing insurance coverages:

1. Infiltration of Industrial Systems Leads to Property Damage

Hackers’ ability to breach a corporate network through various channels is nothing new. But when the intent is to cause physical harm rather than steal data, they can find their way into the industrial controls that operate a facility and wreak havoc.

In 2014, cyber criminals sent a German steel mill up in flames by speeding up the machinery until it became too hot and eventually exploded. The following year, bad actors brought down the Ukrainian power grid through similar methods.

A property policy responds to the resulting physical damages from such an incident, regardless of the cause. But the physical damages are just one piece of the attack.

The targeted organization will also have to investigate how the hackers gained access to their systems and whether they stole or altered any data in the process. The costs of a forensic investigation, restoration of data, notification and any other third-party liability exposures would not be covered under a property policy.

“A cyber policy would respond to network issues like theft of PII or use of transient malware that causes damage to a third party,” Doroff said. “And it would include the first-party coverages to remediate the network breach itself.”

Without a cyber policy, any incident of physical property damage caused by a cyber event would only be partially covered.

2. IoT and Bitcoin Amplify Ransom Risk

“On average, the claims didn’t exceed $50,000. You paid the ransom if you needed to. More sophisticated organizations with good backups knew that they would be safe without paying, so they could just wait for the hacker to go away,” Doroff said.

But the problem is no longer that easy to solve. The explosion of devices connected via the Internet of Things has created more access points to corporate networks.

“When workers connect with their phones outside of a VPN, it may not be bifurcated from the corporate network that has a higher level of security,” she said. “It opens the door for new strains of malware.”

The rise of bitcoin also drives up the ransom amounts sought by hackers. More thieves are asking for their payment in cryptocurrency, which continues to rise in value. This is why having a cyber insurance policy with access to the right breach response vendors is critical.

Since bitcoin is not readily ascertainable on the open market, insureds need access to forensics vendors that maintain a bitcoin wallet. When a ransom is demanded in bitcoin, the vendor can quickly respond to facilitate the transaction and the insured back to business as soon as possible.

“Cyber extortion claims are not $50,000 anymore. With the increase in bitcoin’s ubiquity and value, the cost of a ransomware attacks today can double or triple that amount,” Doroff said.

Where coverage for cyber extortion was once considered a throw-on to a cyber policy, it’s now a critical must-have. Cyber liability insurance without coverage for extortion could leave targets with insurmountable losses after an attack.

3. Social Engineering Expands Definition of Theft

Hackers have become adept at mimicking professional emails to request fraudulent transfers of funds, posing as a client or vendor, or sometimes as a senior manager making a request of a subordinate. Often, the employee tricked into sending the cash doesn’t realize the mistake until it’s too late, and both the thief and the money are long gone.

“That type of theft has created a gap in the insurance market when it comes to treatment of financial fraud,” Doroff said.

A fidelity and crime policy typically would not cover a loss stemming from a social engineering scheme because the funds ultimately were willingly transferred away, even if the employee that did so was deceived. Crime policies may only extend coverage to outright theft of money or securities.

“There has been a push in the marketplace to offer coverage for social engineering fraud within cyber policies, but most of the coverage that exists now is offered on a sub-limited basis,” Doroff said.

As cyber thieves find new ways to bilk businesses, a cyber policy with coverage for social engineering fraud in combination with a crime and fidelity policy closes the coverage gap for emerging types of theft.

4. Data Breaches Threaten Company Reputations

Plenty of high-profile breaches demonstrate how a cyber attack can cause the public to lose faith in an organization they trusted with their personal information. Target, Equifax, Yahoo and Uber are just a few examples.

“Adverse publicity will cause a loss of brand trust that negatively impacts sales, but measuring that impact is the difficult part of designing coverage,” Doroff said. Quantifying exposure is the barrier to developing coverages that adequately address the reputation risk of cyber breaches — but a few methods are emerging.

“We’ll look at a company’s sales over a six-month period after an incident and compare that to the previous year, which provides a snapshot of how much revenue they’ve lost that’s likely attributable to the cyber event,” Doroff said.

But, she added, quantifying the loss is not an exact science. Along with a comparison of sales and revenue, a more thorough financial audit conducted by forensic accountants may be needed. Each carrier will have their own preferred method for measuring reputation exposure.

Because most cyber policies on the market today don’t address this exposure at all, it’s best to work directly with underwriters up front to determine whether there is coverage for financial losses from reputation damage, and how those losses will be accounted for.

5. Storage of Sensitive Data Increases Professional Liability Risk

While theft of PII has always posed a significant threat to financial institutions, hospitals, and other organizations that house large amounts of customers’ private data, some firms previously less concerned with cyber risk are finding that they may have targets on their backs as well.

“This comes up often with professional services firms like attorneys’ offices or financial consultants,” Doroff said. “They have a duty to keep clients’ sensitive information secure. If there’s some third-party incident whereby their clients’ information gets out, they could face costly lawsuits.”

While a professional liability policy likely covers those legal expenses, it won’t cover the first-party losses related to the breach itself, including the investigation, notification and remediation expenses. For more and more firms, “It’s not sufficient to rely on your E&O coverage,” Doroff said.

Staying Ahead of the Coverage Curve

As cyber risks and responding coverages continue to evolve, companies are best served by working with a carrier at the forefront of cyber underwriting. XL Catlin’s cyber and technology liability policy addresses the varying ways in which malicious hackers can infiltrate systems or otherwise cause harm.

“We built this policy based on all the endorsement requests we received from brokers, which meant changing some definitions, removing certain exclusions or broadening some insuring agreements,” Doroff said. “The result is a policy with very broad terms and conditions that is a market leader in terms of what brokers and insureds are looking for.”

“Our services include everything from training articles and videos to tabletop exercises, testing of employees’ response to phishing emails, and an 800-number manned by our claims team,” Doroff said. “Our broad vendor panel also offers several options for law, public relations and forensic firms, to help insureds recover quickly from a cyber incident — whatever shape it takes.”

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with XL Catlin. The editorial staff of Risk & Insurance had no role in its preparation.

XL Catlin. From insurance to reinsurance, a changing world needs new answers. We’re here to find them. With an incredible blend of people, products, services and technology, we have the power to find innovative, creative solutions to your risks — from the most familiar to the most complex.

A growing number of Americans earn their living in the gig economy without employer-provided benefits and protections such as workers’ compensation.

Advertisement

With the proliferation of on-demand services powered by digital platforms, questions surrounding who does and does not actually work in the gig economy continue to vex stakeholders. Courts and legislators are being asked to decide what constitutes an employee and what constitutes an independent contractor, or gig worker.

The issues are how the worker is paid and who controls the work process, said Bobby Bollinger, a North Carolina attorney specializing in workers’ compensation law with a client roster in the trucking industry.

The common law test, he said, the same one the IRS uses, considers “whose tools and whose materials are used. Whether the employer is telling the worker how to do the job on a minute-to-minute basis. Whether the worker is paid by the hour or by the job. Whether he’s free to work for someone else.”

Legal challenges have occurred, starting with lawsuits against transportation network companies (TNCs) like Uber and Lyft. Several court cases in recent years have come down on the side of allowing such companies to continue classifying drivers as independent contractors.

Those decisions are significant for TNCs, because the gig model relies on the lower labor cost of independent contractors. Classification as an employee adds at least 30 percent to labor costs.

The issues lie with how a worker is paid and who controls the work process. — Bobby Bollinger, a North Carolina attorney

However, a March 2018 California Supreme Court ruling in a case involving delivery drivers for Dynamex went the other way. The Dynamex decision places heavy emphasis on whether the worker is performing a core function of the business.

Under the Dynamex court’s standard, an electrician called to fix a wiring problem at an Uber office would be considered a general contractor. But a driver providing rides to customers would be part of the company’s central mission and therefore an employee.

Despite the California ruling, a Philadelphia court a month later declined to follow suit, ruling that Uber’s limousine drivers are independent contractors, not employees. So a definitive answer remains elusive.

The motive for companies seeking the contractor definition is clear: They don’t have to pay for benefits, said Meneghello. “But from a legal perspective, it’s not so easy to turn the workforce into contractors.”

“My concern is for individuals who believe they’re covered under workers’ compensation, have an injury, try to file a claim and find they’re not covered in the eyes of the state.” — Matt Zender, vice president, workers’ compensation product manager, AmTrust

It’s about to get easier, however. In 2016, Handy — which is being sued in five states for misclassification of workers — drafted a N.Y. bill to establish a program where gig-economy companies would pay 2.5 percent of workers’ income into individual health savings accounts, yet would classify them as independent contractors.

Unions and worker advocacy groups argue the program would rob workers of rights and protections. So Handy moved on to eight other states where it would be more likely to win.

Advertisement

So far, the Handy bills have passed one house of the legislature in Georgia and Colorado; passed both houses in Iowa and Tennessee; and been signed into law in Kentucky, Utah and Indiana. A similar bill was also introduced in Alabama.

The bills’ language says all workers who find jobs through a website or mobile app are independent contractors, as long as the company running the digital platform does not control schedules, prohibit them from working elsewhere and meets other criteria. Two bills exclude transportation network companies such as Uber.

These laws could have far-reaching consequences. Traditional service companies will struggle to compete with start-ups paying minimal labor costs.

Opponents warn that the Handy bills are so broad that a service company need only launch an app for customers to contract services, and they’d be free to re-classify their employees as independent contractors — leaving workers without social security, health insurance or the protections of unemployment insurance or workers’ comp.

That could destabilize social safety nets as well as shrink available workers’ comp premiums.

A New Classification

Independent contractors need to buy their own insurance, including workers’ compensation. But many don’t, said Hart Brown, executive vice president, COO, Firestorm. They may not realize that in the case of an accident, their personal car and health insurance won’t engage, Brown said.

Workers’ compensation for gig workers can be hard to find. Some state-sponsored funds provide self-employed contractors’ coverage. Policies can be expensive though in some high-risk occupations, such as roofing, said Bollinger.

The gig system, where a worker does several different jobs for several different companies, breaks down without portable benefits, said Brown. Portable benefits would follow workers from one workplace engagement to another.

What a portable benefits program would look like is unclear, he said, but some combination of employers, independent contractors and intermediaries (such as a digital platform business or staffing agency) would contribute to the program based on a percentage of each transaction.

There is movement toward portable benefits legislation. The Aspen Institute proposed portable benefits where companies contribute to workers’ benefits based on how much an employee works for them. Uber and SEI together proposed a portable benefits bill to the Washington State Legislature.

Meneghello is skeptical of portable benefits as a long-term solution. “They’re a good first step,” he said, “but they paper over the problem. We need a new category of workers.”

A portable benefits model would open opportunities for the growing Insurtech market. Brad Smith, CEO, Intuit, estimates the gig economy to be about 34 percent of the workforce in 2018, growing to 43 percent by 2020.

The insurance industry reinvented itself from a risk transfer mechanism to a risk management mechanism, Brown said, and now it’s reinventing itself again as risk educator to a new hybrid market. &

Susannah Levine writes about health care, education and technology. She can be reached at [email protected] Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]

Cookies

We use cookies to ensure we give you the best experience on our site. By continuing to use our site without changing your settings, you're agreeing to our cookie policy. Click to view our cookie policy.